Interpreting the HIPAA Audit Protocol for Health Lawyers

Size: px
Start display at page:

Download "Interpreting the HIPAA Audit Protocol for Health Lawyers"

Transcription

1 Interpreting the HIPAA Audit Protocol for Health Lawyers This webinar is brought to you by the Health Information and Technology Practice Group (HIT), and is co-sponsored by the Business Law and Governance (BLG); Hospitals and Health Systems (HHS); In-House Counsel (In-House); Labor and Employment (Labor); Long Term Care, Senior Housing, In-Home Care, and Rehabilitation (LTC-SIR); Payors, Plans, and Managed Care (PPMC); and Physician Organizations (Physicians) Practice Groups. June 21, 2012, 1:00-2:30 Eastern Presenters: Adam H. Greene, JD, MPH, Partner, Davis Wright Tremaine LLP, Washington, DC, Michael Mac H. McMillan, CISM, CEO, CynergisTek Inc., Austin, TX,

2 Agenda Background Audit Selection The Audit Process The Audit Protocol Initial Audit Results Audit Readiness 2

3 BACKGROUND 3

4 Past HIPAA Enforcement Complaints Compliance Reviews Breach Reports 4

5 Congress Requires Audits Section of the HITECH Act: The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of [the HITECH Act, Privacy, and Security Rules], as such provisions are in effect as of the date of enactment of this Act, comply with such requirements. 5

6 HHS Contracts Out Audits Description Audit program development study Covered entity identification Vendor Booz Allen Hamilton Booz Allen Hamilton Status/ Timeframe Closed 2010 Open 2011 Develop audit protocol and conduct audits Evaluation of audit program KPMG, Inc. Open TBD To begin in

7 The Pilot Audit Program audits Covers privacy, security, and breach notification Staffed by contractor employees Focused on education and prevention 7

8 AUDIT SELECTION 8

9 Selection of Covered Entities Covered entities of all type and size Business associates possible in future audits Stratified, random selection based on size, type, and geography Selection is not based on prior incidents 9

10 The First 20 Audits Level 1 > $1B Level 2 $300M - $1B Level 3 $50M - $300M Level 4 <$50M Total Health Plans Health care providers Healthcare clearinghouses

11 THE AUDIT PROCESS 11

12 The Audit Timeline Notification letter sent to Covered Entity On-site field work Covered Entities review and comment on draft audit report 1 Day Min. 15 Days 3 10 Days Days 10 Days 30 Days Receiving and reviewing documentation and planning the audit field work Draft audit report Final audit report 12

13 Notification Notification will come by registered mail. The letter is addressed to the CEO so organizations need to redirect it as soon as it arrives. The clock starts with receipt of the letter. 15 days for documentation, days until on-site activity begins. Activate the audit response team, begin notifications, initiate action to respond to initial tasks. 13

14 Submit Documentation Attachment to the Notification letter. Items such as policies, procedures, plans, demographic information, forms, etc. Information is due within 15 business days of receipt of the Notification letter. Focus on initial tasks and coordination with Audit Team. 14

15 On-Site Data Collection Occurs days from receipt of Notification. On-site data collection can last from 3 10 business days and involve up to 5 auditors. Interviews of key personnel, other staff members, site walkthroughs, operational reviews, and requests for further information. Focus on final preparations and refresher training for staff. 15

16 Post On-Site Activity days after on-site visit to produce draft report. Expect additional questions/requests for information while report is being written. Focus on preparing response to audit findings Draft report is provided to the site. It includes site information, findings/recommendations, and request for response. 16

17 Draft Report & Response 10 business days to respond to deficiencies noted. Review report closely, identify clarifying questions, mitigating information, and plans for remediation. Take full advantage of expert advise from consultants and legal when developing response. 17

18 THE AUDIT PROTOCOL 18

19 Audit Procedures 68 Privacy Audit Procedures 77 Security Audit Procedures 10 Breach Notification Audit Procedures 19

20 Example of Audit Procedure (a)(1) Access Control - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4). 20

21 Example of Audit Procedure Key Activity Terminate Access If It Is No Longer Required (Cont d) Inquire of management as to whether there are separate procedures for terminating access to ephi when the employment of a workforce member ends, i.e., voluntary termination (retirement, promotion, transfer, change of employment) vs. involuntary termination (termination for cause, reduction in force, involuntary transfer). Inquire of management as to whether a standard set of procedures are in place to recover access control devices and deactivate computer access upon termination of employment. 21

22 Example of Audit Procedure Key Activity Terminate Access If It Is No Longer Required (Cont d) Obtain and review policy and procedures for terminating access to ephi and evaluate the content in relation to the specified performance criteria. Obtain and review evidence of monitoring to determine whether access to ephi is terminated in a timely manner. 22

23 Example of Audit Procedure Key Activity Terminate Access If It Is No Longer Required Obtain and review a standard set of procedures and evaluate the content in relation to the specified performance criteria. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. 23

24 Contents of Audit Procedures Inquire of management Obtain and review policies and procedures Obtain and review evidence/documentation If CE has chosen not to fully implement, then must have documentation of why 24

25 What s Missing? Standards against which CEs will be judged E.g., how often is periodic basis E.g., what safeguards are appropriate How is protocol applied differently to different sized entities? What is regulatory basis for much of protocol? E.g., For evaluations conducted by external consultants, determine if an agreement or contract exists and if it includes verification of consultants' credentials and experience. 25

26 The Audit Protocol can be found at: Remember: The Audit Protocol Is Not Law. Corollary 1: The Audit Protocol Is Not Even Agency Guidance Corollary 2: But, OCR likely has reviewed and approved the audit protocol. 26

27 INITIAL AUDIT RESULTS 27

28 28

29 29

30 30

31 31

32 32

33 AUDIT READINESS 33

34 Demonstration is key Policies are only the beginning. Auditors will want to see how policy has been enabled and is being enforced Testing, monitoring, auditing, investigative activity, log files, configurations, and other documentation will be required to prove controls exist Completeness, compliance, consistency and currency of policies, procedures and practices will be evaluated 34

35 It Starts With Policy Auditors will review policies for privacy, security and breach notification Conduct a gap analysis Understand relationship between policy written and controls employed and intelligence gleaned from risk analysis Organize policies, plans and procedures in an easily retrievable platform Ensure staff orientation 35

36 Proof of Implementation The audit protocol calls for developing proof that policies and controls have been effectively implemented Determine for each policy, plan or procedure what evidence can be produced to demonstrate compliance Incorporate periodic evaluations as part of an internal audit process Audit, test, repeat. 36

37 The Four C s Do you have a complete set of policies and procedures Do your policies and procedures meet all compliance requirements? Is all documentation current within appropriate guidelines? Is the consistency between policies, practices and controls? 37

38 Organize Documentation The initial request for documentation is time sensitive Create either a central repository or index for all documents related to compliance Determine appropriate retention periods Conduct periodic audits to ensure readiness to produce 38

39 Audit Response Team Identify audit response team Align readiness plans and activities with audit phases Establish primary POC for communications with audit team Prepare an orientation for the team Apply minimal necessary and access control practices Identify logistics support 39

40 Refresher Training Helps Conduct orientation for Management and workforce members Alert business associates and others of audit Conduct refresher training on compliance/policy information Review non-essential activities and eliminate distractions Engage legal and consulting support 40

41 Preparing for the On-Site Conduct walkthroughs and mock interviews with staff Create simple checklists for senior management, department heads and other key personnel Interview senior management personally Conduct mock audits (readiness/performance) Conduct review of documentation 41

42 Leadership is Key Keep motivation high; stress learning aspect of audit Institute system of regular feedback and reminders Communicate lessons learned to inform audit performance Remain flexible, positive, unflappable Stress transparency, openness and integrity in interactions 42

43 Preparing a Response Collect feedback all through audit process Conduct frequent debriefs to collect observations Identify any areas believed to be not relevant Engage consultants and legal advice when crafting responses Focus on plans for remediation and timelines 43

44 Final Report & Disposition Audits are designed to be a compliance improvement tool enforcement is not the intent OCR will use the audit reports to identify types of technical assistance and guidance should be developed OCR may determine that it is necessary to open a compliance review based on initial findings or evidence of neglect 44

45 The Role for Counsel: Pre-Audit Bring privacy and security audit program to the attention of client(s). Bring audit protocol to the attention of clients. Encourage use of protocol to improve preparedness. Clarify that protocol does not equate to legal requirements. Go beyond audit protocol where necessary. Use attorney-client privilege judiciously (e.g., analyzing strengths and weaknesses of compliance program). 45

46 The Role for Counsel: During Audit Ensure management understands risks. Not a routine audit. HHS has indicated that enforcement is not focus. Nevertheless, could lead to substantial settlement or penalty. Assist with limiting responses to facts and to scope of questions. Initial responses could become admissions in future settlement discussions or appeals. Coordinate response to draft audit report. Recognize that audience is OCR, not KPMG. 46

47 Questions 47

48 Thank You

49 Interpreting the HIPAA Audit Protocol for Health Lawyers 2012 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought from a declaration of the American Bar Association 49

How to prepare your organization for an OCR HIPAA audit

How to prepare your organization for an OCR HIPAA audit How to prepare your organization for an OCR HIPAA audit Presented By: Mac McMillan, FHIMSS, CISM CEO, CynergisTek, Inc. Technical Assistance: 978-674-8121 or Amanda.Howell@iatric.com Audio Options: Telephone

More information

A smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved

A smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved A smarter way to protect your brand Minimizing Compliance Risks of Proactive OCR HIPAA Audits Copyright 2012 Compliance 360 All Rights Reserved Compliance 360 at a Glance Compliance, Risk and Audit Solutions

More information

Preparing for and Responding to an OCR HIPAA Audit

Preparing for and Responding to an OCR HIPAA Audit Preparing for and Responding to Carole Klove Carole.Klove@ucsfmedctr.or g Gerry Hinkley gerry.hinkley@pillsburylaw.com SIXTH NATIONAL HIPAA SUMMIT WEST October 10-12, 2012 Overview Background What to expect

More information

AHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA

AHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA AHLA B. HIPAA Compliance Audits Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA Anna C. Watterson Davis Wright Tremaine LLP Washington, DC Fraud

More information

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014 OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 Linda Sanches, MPH Senior Advisor, Health Information Privacy HCCA Compliance Institute March 31, 2014 Agenda Background Audit Phase

More information

HIPAA Privacy, Security and Breach Notification Audits

HIPAA Privacy, Security and Breach Notification Audits HIPAA Privacy, Security and Breach Notification Audits Program Overview & Initial Analysis Verne Rinker JD, MPH 2013 NIST / OCR Security Rule Conference May 21-22, 2013 Program Mandate HITECH Act, Section

More information

Lessons Learned from OCR Privacy and Security Audits

Lessons Learned from OCR Privacy and Security Audits Lessons Learned from OCR Privacy and Security Audits Program Overview & Initial Analysis Linda Sanches, MPH Verne Rinker, JD MPH Presentation to IAPP Global Privacy Summit March 7, 2013 Program Mandate

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

2012 HIPAA Privacy and Security Audits

2012 HIPAA Privacy and Security Audits Office of the Secretary Office for Civil Rights (OCR) 2012 HIPAA Privacy and Security Audits Linda Sanches OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits OCR 1 Agenda Background

More information

BNA s Health Law Reporter

BNA s Health Law Reporter BNA s Health Law Reporter Reproduced with permission from BNA s Health Law Reporter, 20 HLR 1272, 08/18/2011. Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com HHS

More information

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? You receive a phone call from your CEO. They just received

More information

OCR HIPAA AUDITS THEY RE BACK!

OCR HIPAA AUDITS THEY RE BACK! OCR HIPAA AUDITS THEY RE BACK! Chris Apgar, CISSP 2016 OVERVIEW OCR Audit Program Overview What to Expect if OCR s Auditors Show Up Potential Penalties and Other OCR Actions How to Prepare for an Audit

More information

OCR Launches Phase 2 HIPAA Audits for Covered Entities and Business Associates: Are You Ready?

OCR Launches Phase 2 HIPAA Audits for Covered Entities and Business Associates: Are You Ready? Presenting a live 90-minute webinar with interactive Q&A OCR Launches Phase 2 HIPAA Audits for Covered Entities and Business Associates: Are You Ready? Developing, Ensuring and Documenting HIPAA and HITECH

More information

HIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com

HIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations

More information

OCR HIPAA Audits. Disclaimer. Message. I am here for your benefit. If you have questions, please ask. 1. Background 2. The Audit 3.

OCR HIPAA Audits. Disclaimer. Message. I am here for your benefit. If you have questions, please ask. 1. Background 2. The Audit 3. OCR HIPAA Audits Roger Brett Short Chief Compliance Officer October 2012 Disclaimer The information provided in this presentation does not constitute legal advice and is intended to be used for guidance.

More information

The Case For HIPAA Risk Assessment. Leader s Guide

The Case For HIPAA Risk Assessment. Leader s Guide 4547 The Case For HIPAA Risk Assessment Leader s Guide IMPORTANT INFORMATION FOR EDUCATION COORDINATORS & PROGRAM FACILITATORS PLEASE NOTE: In order for this program to meet Florida course requirements,

More information

Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar www.idexpertscorp.com

Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar www.idexpertscorp.com Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar www.idexpertscorp.com Mahmood Sher-Jan VP of Product Management mahmood.sher-jan@idexpertscorp.com Chris Apgar

More information

HIPAA and HITECH: New Rules, Trends and Traps for the Unwary

HIPAA and HITECH: New Rules, Trends and Traps for the Unwary HIPAA and HITECH: New Rules, Trends and Traps for the Unwary Elizabeth Tosaris, Partner October 22, 2015 Atlanta Austin Boston Chicago Dallas Hartford Hong Kong Houston Istanbul London Los Angeles Miami

More information

Preparing for HIPAA and Meaningful Use Compliance Audits

Preparing for HIPAA and Meaningful Use Compliance Audits Preparing for HIPAA and Meaningful Use Compliance Audits Presented by: David Holtzman VP of Compliance, CynergisTek CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com

More information

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective July 23, 2013 Gerry Hinkley, Pillsbury Allen Briskin, Pillsbury Pillsbury Winthrop Shaw Pittman LLP

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

HIPAA Audits Are Here!

HIPAA Audits Are Here! HIPAA Audits Are Here! How to prepare for and what to expect when OCR comes knocking May 12, 2016 James B. Wieland, Principal, Ober Kaler Emily H. Wein, Principal, Ober Kaler David Holtzman, VP of Compliance,

More information

Creating Stable Security & Compliance Relationships

Creating Stable Security & Compliance Relationships Creating Stable Security & Compliance Relationships David Holtzman JD, CIPP/G VP, Compliance CynergisTek, Inc. James Wieland JD Principal Ober Kaler Welcome The slides for today s webinar are available

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300)

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

valueoutcome July Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny

valueoutcome July Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny valueoutcome July 2014 Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny Highlights 1. In preparation for Phase 2 audits, covered

More information

Key HITECH & Omnibus Rule Challenges Enforcement: Thinking Like OCR Audits, Audits & More Audits Hot Issues for 2015 Wrap Up

Key HITECH & Omnibus Rule Challenges Enforcement: Thinking Like OCR Audits, Audits & More Audits Hot Issues for 2015 Wrap Up David Holtzman, JD CIPP/G Vice President for Compliance CynergisTek, Inc. 1 Vice President, Compliance, CynergisTek, Inc. Subject matter expert in policy and compliance issues involving the HIPAA Privacy,

More information

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)

More information

Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol

Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol 1 Learning Objectives Understand Privacy and Security Requirements Understand the new OCR audit protocol Learn how to prepare

More information

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C.

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C. HIPAA Hot Topics Audits, the Latest on Enforcement and the Impact of Breaches September 2012 Nashville Knoxville Memphis Washington, D.C. Overview HITECH Act HIPAA Audit Program: update and initial results

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012 HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure

More information

2016 OCR AUDIT E-BOOK

2016 OCR AUDIT E-BOOK !! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that

More information

HIPAA Privacy Rule Policies

HIPAA Privacy Rule Policies DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment

More information

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16 NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The

More information

Carl Abramson Gerry Blass Susan A Miller

Carl Abramson Gerry Blass Susan A Miller Introductions 0 Carl Abramson has over 35 years of experience in management consulting, IT management, HIPAA compliance, Critical Infrastructure Cyber Security and business process analysis. Carl is President

More information

COMPLIANCE WITH LAWS AND REGULATIONS (CLR)

COMPLIANCE WITH LAWS AND REGULATIONS (CLR) Principle: Ensuring compliance with applicable laws, regulations and professional standards of practice implementing systems and processes that prevent fraud and abuse. 91 Compliance with Laws and Regulations

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information

Sustainable Compliance: A System for Ongoing Audit Readiness

Sustainable Compliance: A System for Ongoing Audit Readiness View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System

More information

HIPAA Security Overview of the Regulations

HIPAA Security Overview of the Regulations HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.

More information

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA 19103 (215) 665-2746

More information

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013 Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013 Presentation Overview s investigative

More information

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Developing HIPAA Security Compliance Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Learning Objectives Identify elements of a HIPAA Security compliance program Learn the HIPAA Security Rule basics

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

Arizona Physicians Group To Pay $100,000 To Settle HIPAA Charges

Arizona Physicians Group To Pay $100,000 To Settle HIPAA Charges Cynthia Marcotte Stamer Board Certified Labor and Employment Law Texas Board of Legal Specialization Primary Telephone: (214) 452-8297 24-Hour Telephone (469) 767.8872 Addison Telephone (972) 588.1860

More information

HIPAA Summit. March 10, 2011. Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC

HIPAA Summit. March 10, 2011. Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC HIPAA Summit March 10, 2011 Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC The Secretary shall provide for periodic audits to ensure that covered entities and business associates

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

HIPAA Compliance Audits: Your Newest Risk: Are You Prepared?

HIPAA Compliance Audits: Your Newest Risk: Are You Prepared? HIPAA Compliance Audits: Your Newest Risk: Are You Prepared? Presented by: Melissa (Lisa) Thompson, JD, MPH and Elizabeth Lamkin, MHA Slide 1 Speakers Melissa (Lisa) Thompson, JD, MPH Partner Adelman,

More information

OCR HIPAA Security Audit Protocol a second look

OCR HIPAA Security Audit Protocol a second look OCR HIPAA Security Audit Protocol a second look On June 26, 2012, the Office for Civil Rights published its Audit Protocols for HIPAA Security, HIPAA Breach and Privacy at http://ocrnotifications.hhs.gov/hipaa.html.

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

Auditing Security: Lessons Learned From Healthcare Security Breaches

Auditing Security: Lessons Learned From Healthcare Security Breaches Auditing Security: Lessons Learned From Healthcare Security Breaches Adam H. Greene, J.D., M.P.H. Davis Wright Tremaine LLP Washington, D.C. Michael Mac McMillan CynergisTek, Inc. Austin, Texas DISCLAIMER:

More information

What do you need to know?

What do you need to know? What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,

More information

Covered Entities and Business Associates: An Evolving Relationship

Covered Entities and Business Associates: An Evolving Relationship Covered Entities and Business Associates: An Evolving Relationship Rebecca L. Williams, RN, JD Partner, Chair of HEALTH/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 No health care provider

More information

View the Replay on YouTube. Sustainable HIPAA Compliance: Enhancing Your Epic Reporting. FairWarning Executive Webinar Series October 17, 2013

View the Replay on YouTube. Sustainable HIPAA Compliance: Enhancing Your Epic Reporting. FairWarning Executive Webinar Series October 17, 2013 View the Replay on YouTube Sustainable HIPAA Compliance: Enhancing Your Epic Reporting FairWarning Executive Webinar Series October 17, 2013 Today s Panel Chris Arnold FairWarning VP of Product Management

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences

Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences Key HIPAA HITECH Changes Gina Kastel, Partner, Health and Life Sciences Agenda Business Associates Restrictions on Disclosures Access to PHI Notice of Privacy Practices Fundraising 2 Business Associates

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments View the Replay on YouTube Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments FairWarning Executive Webinar Series October 31, 2013 Today s Panel Chris Arnold

More information

Intelligent Vendor Risk Management

Intelligent Vendor Risk Management Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach

More information

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013 ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

Logging and Auditing in a Healthcare Environment

Logging and Auditing in a Healthcare Environment Logging and Auditing in a Healthcare Environment Mac McMillan CEO CynergisTek, Inc. OCR/NIST HIPAA Security Rule Conference Safeguarding Health Information: Building Confidence Through HIPAA Security May

More information

HIPAA Overview and updates since HITECH and PPACA

HIPAA Overview and updates since HITECH and PPACA HIPAA Overview and updates since HITECH and PPACA Presented by: Angela Miller, CMC, CHC Medical Auditing Solutions LLC 2013 (c)2013 Medical Auditing Solutions LLC 1 Learning Objectives Overview the high

More information

Arizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015

Arizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015 This page left blank intentionally. Summary The Health Insurance Portability and Accountability Act of 1996 (HIPAA) audit was included on the Arizona State University (ASU) FY 2015 annual audit plan approved

More information

Business Associates: HITECH Changes You Need to Know

Business Associates: HITECH Changes You Need to Know Business Associates: HITECH Changes You Need to Know Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 Who Is a Business Associate? A

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Healthcare Horizons Webinar Series:

Healthcare Horizons Webinar Series: Healthcare Horizons Webinar Series: HIPAA and HITECH Enforcement Pete Enko peter.enko@huschblackwell.com 816.983.8312 Steve James steve.james@huschblackwell.com 816.983.8374 Husch Blackwell LLP Before

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

HIPAA Security Risk Analysis for Meaningful Use

HIPAA Security Risk Analysis for Meaningful Use HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

HIPAA, Subpoenas and Audits, Oh My! An Overview. Jonathan M. Joseph

HIPAA, Subpoenas and Audits, Oh My! An Overview. Jonathan M. Joseph HIPAA, Subpoenas and Audits, Oh My! An Overview Jonathan M. Joseph This is provided as an informational service and does not constitute legal counsel or advice, which can only be rendered in the context

More information

What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue

What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue Healthcare Advisors The # of data breaches is climbing The

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

HIPAA Privacy: Refining Your Implementation. Presented by Rhys W. Jones HCCA Compliance Institute April 28, 2003

HIPAA Privacy: Refining Your Implementation. Presented by Rhys W. Jones HCCA Compliance Institute April 28, 2003 HIPAA Privacy: Refining Your Implementation Presented by Rhys W. Jones HCCA Compliance Institute April 28, 2003 Designated Record Sets (DRS) Covered entities must document contents of DRS For Providers:

More information

Preparing for the Phase II HIPAA Audits

Preparing for the Phase II HIPAA Audits Preparing for the Phase II HIPAA Audits The Phase II HIPAA Audits are expected to start soon. This document is a primer on where we have been, where we are going, and what you can do now to prepare for

More information

Overview of Presentation

Overview of Presentation Now You See It, Now You Don t: Data aabreaches Marti Arvin Chief Compliance Officer, UCLA Cheryl Washington Chief Information Security and Privacy Officer, Office of the President Deborah Yano-Fong Chief

More information

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37.

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37. Zip It! Feds, State Strengthen Privacy Protection Practice Management Feature July 2012 Tex Med. 2012;108(7):33-37. By Crystal Conde Associate Editor When it comes to enforcing HIPAA data security and

More information

View the Replay on YouTube

View the Replay on YouTube View the Replay on YouTube Privacy Implications of Texas HB 300: What Should You Be Doing Now? FairWarning Executive Webinar Series December 18, 2012 Agenda Privacy Implications of Texas HB 300: What Should

More information

2/27/2014. Meaningful Use as it Relates to HIPAA Compliance. Objectives and Agenda. Understand the statutory and regulatory background and purpose

2/27/2014. Meaningful Use as it Relates to HIPAA Compliance. Objectives and Agenda. Understand the statutory and regulatory background and purpose Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information